A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM
THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).
1) [X] Responsive to communication(s) filed on 31 October 2001.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.
4) [X] Claim(s) 1-17 is/are pending in the application.
5) [ ] Claim(s) is/are allowed.
6) [X] Claim(s) 1-17 is/are rejected.
8) [ ] Claim(s) are subject to restriction and/or election requirement.
DETAILED ACTION



Specification 



The examiner suggests that the applicants provide the serial numbers of all
copending applications mentioned on page 1.

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

2. Claims 1-17 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Vaidya US (6,279,113) in view of Walker US (6,134,664). 

As per claim 1: Vaidya discloses a node of a network for managing an intrusion
protection system, the node comprising: 

a memory module for storing data in machine-readable format for retrieval and 
execution by a central processing unit; and (Col 6, Lines 3-11 and items 39,32 
and 36 of FIG. 2) 

an operating system comprising a network stack comprising a protocol driver and
a media access control driver and operable to execute an intrusion protection
system management application (Col 6, Lines 11-18 and Col 7, Lines 12-24), the
management application operable to receive text-file input from an input device (Col 7,
Lines 24-36, and Col 6, Lines 53-56), the text file defining a network exploit rule
(Col 5, Lines 33-38), but Vaidya doesn't explicitly disclose the file comprising at
least one field. However, Walker discloses a method for reducing native audit
data or signatures for analysis by an intrusion detection engine (Col 4, Lines 37-40)
where he formats the audit record to comprise a plurality of fields (Col 11, Lines
29-35). Therefore it would have been obvious to one of ordinary skill in the art at the
time the invention was made to modify Vaidya's system to use signature files
comprising at least one field. One would be motivated to do so in order to enable
the system to identify different signatures and take a different set of actions for the
different signatures to improve the performance of the intrusion detection
system. (Col 4, Lines 45-49)

As per claim 2: Vaidya doesn't explicitly disclose the node according to claim 1,
wherein the network exploit rule further comprises a field selected from the group
consisting of an ENABLED field and a SEVERITY field. However, Walker
discloses a method for reducing native audit data or signatures for analysis by an
intrusion detection engine (Col 4, Lines 37-40) where he formats the audit record
to comprise a plurality of fields like a type of record field and a primary
discriminator field (Col 11, Lines 29-35). Therefore it would have been obvious to one
of ordinary skill in the art at the time the invention was made to modify Vaidya's
system to use signature files comprising at least one field. One would be
motivated to do so in order to enable the system to identify different signatures
and take a different set of actions for the different signatures to improve the
performance of the intrusion detection system. (Col 4, Lines 45-49)

As per claim 3: Vaidya discloses the node according to claim 1, wherein the node 
is operable to compile the text-file into a machine-readable signature-file and 
transmit the machine-readable signature-file to at least one other node of the 
network. (Col 6, Lines 50-56) 

As per claim 4, 9: The node according to claim 1, further comprising a database, 
the node operable to store a plurality of text-files, each respectively defining a 
network-exploit rule, in the database. (Col 6, Lines 3-7 and Col 5, Lines 47-65) 

As per claim 5, 10: The node according to claim 2, further comprising a
machine-readable signature-file database operable to store a plurality of
machine-readable signature-files each generated from one of a respective plurality of
text-files (Col 6, Lines 3-11), the management application operable to transmit a
subset of the plurality of machine-readable signature-files to another node
connected to the network. (Col 6, Lines 44-56)

As per claims 6, 11 and 17: Vaidya discloses that the subset of the signatures includes
all the signatures of all nodes residing on that segment of the network but doesn't
explicitly disclose that the subset of signatures comprises all machine-readable
signature-files of the plurality of machine-readable signature-files each generated
from a respective text-file having an asserted ENABLED field value. However,
Walker discloses a method for reducing native audit data or signatures for
analysis by an intrusion detection engine (Col 4, Lines 37-40) where he formats the
audit record to comprise a plurality of fields (Col 11, Lines 29-35) and, according to
the value of a specific field in the record (Col 11, Lines 42-49), a decision is made whether
to reduce the record or to forward the record for further consideration by the
intrusion detection engine (Col 12, Lines 43-46). Therefore it would have been
obvious to one of ordinary skill in the art at the time the invention was made to
modify the system to send signatures having an asserted enabled field value.
One would be motivated to do so in order to enable the system to identify which
signatures need to be used on that node, which ultimately improves the
performance of the intrusion detection system by reducing the number of
signatures the node has to consider. (Col 4, Lines 45-49)

As per claims 7, 12 and 15: Vaidya doesn't explicitly disclose that the management
application is operable to accept a SEVERITY threshold from the input device
and the subset of signatures comprises all machine-readable signature-files
respectively generated from a text-file having a SEVERITY field value equal to or
greater than the threshold. However, Walker discloses a method for reducing
native audit data or signatures for analysis by an intrusion detection engine (Col 4,
Lines 37-40) where he eliminates records based on values or ranges of some
fields in the record (Col 19, Lines 38-46) and a decision whether to reduce the
record or to forward the record for further consideration by the intrusion detection
engine is made based on those values (Col 12, Lines 43-46 and Col 20, Lines 5-20).
Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the system to include a threshold value and
process signatures having a severity value greater than the specified threshold to
improve the performance. One would be motivated to do so in order to enable
the system to identify which signatures need to be used on that node and enable
the system to weight records using barriers and boundaries (Col 4, Lines 29-33),
which ultimately improves the performance of the intrusion detection system by
reducing the number of signatures the node has to consider. (Col 4, Lines 45-49)

As per claim 8: Vaidya discloses a method of distributing command and security 
updates in a network having an intrusion protection system, comprising: 
generating a text-file defining a network-exploit rule; (Col 5, Lines 33-39; Col 5, 
Lines 51-63 and Col 6, Lines 44-56) 

but Vaidya doesn't explicitly disclose specifying at least one field selected from
the group consisting of an ENABLED field value and a SEVERITY level field
value during generation of the text-file. However, Walker discloses a method for
reducing native audit data or signatures for analysis by an intrusion detection engine
(Col 4, Lines 37-40) where he formats the audit record to comprise a plurality of
fields like a type of record field and a primary discriminator field (Col 11, Lines
29-35). Therefore it would have been obvious to one of ordinary skill in the art at the
time the invention was made to modify Vaidya's system to use signature files
comprising at least one field. One would be motivated to do so in order to enable
the system to identify similar signatures and execute the same set of instructions
for the similar signatures to improve the performance of the intrusion detection
system by reducing the number of signatures the system has to examine. (Col 4,
Lines 45-49)

As per claim 13: Vaidya discloses a computer-readable medium having stored 
thereon set of instructions to be executed, the set of instructions, when executed 
by a processor, cause the processor to perform a computer method of: 
reading input from an input device of the computer; compiling the input into a 
machine-readable signature file (Col 5, lines 51-63) comprising 
machine-readable logic representative of the network-exploit rule (Col 5, Lines 
33-39) and 

but Vaidya doesn't explicitly disclose the signature file comprising a group of
fields consisting of an enabled field and a severity field and evaluating the signature
files based on those fields' values. However, Walker discloses a method for
reducing native audit data or signatures for analysis by an intrusion detection engine
(Col 4, Lines 37-40) where he includes value fields in the data records (Col 11,
Lines 29-35) and eliminates records based on values or ranges of those fields
in the record (Col 19, Lines 38-46) and a decision whether to reduce the record
or to forward the record for further consideration by the intrusion detection engine
is made based on those values (Col 12, Lines 43-46 and Col 20, Lines 5-20).
Therefore it would have been obvious to one of ordinary skill in the art at the time the
invention was made to modify the system to include a plurality of fields in the
signature files and evaluate the signatures based on the values of those fields.
One would be motivated to do so in order to enable the system to identify which
signatures need to be used on that node, which ultimately improves the
performance of the intrusion detection system by reducing the number of
signatures the node has to consider. (Col 4, Lines 45-49)

As per claim 14: Vaidya doesn't disclose the method of claim 13 comprising
specifying a threshold value. However, Walker discloses a method for reducing
native audit data or signatures for analysis by an intrusion detection engine (Col 4,
Lines 37-40) where he eliminates records based on specified values or ranges
of some fields in the record (Col 19, Lines 38-46) and a decision whether to
reduce the record or to forward the record for further consideration is made
based on those values (Col 12, Lines 43-46 and Col 20, Lines 5-20). Therefore it
would have been obvious to one of ordinary skill in the art at the time the invention was
made to modify the system to enable the system to specify a threshold value and
process signatures based on this value. One would be motivated to do so in
order to enable the system to identify what signatures to use on a specific node,
which ultimately improves the performance of the intrusion detection system by
reducing the number of signatures the node has to consider. (Col 4, Lines 45-49)

As per claim 16: Vaidya discloses the computer readable medium according to
claim 13, further comprising a set of instructions that, when executed by the
processor, cause the processor to perform the computer method of generating a
text-file from the input (Col 5, Lines 51-63 and Col 6, Lines 44-56), the text-file
specifying the network-exploit rule (Col 5, Lines 33-39), but Vaidya doesn't
explicitly disclose the file comprising at least one field. However, Walker
discloses a method for reducing native audit data or signatures for analysis by an
intrusion detection engine (Col 4, Lines 37-40) where he formats the audit record
to comprise a plurality of fields (Col 11, Lines 29-35). Therefore it would have been
obvious to one of ordinary skill in the art at the time the invention was made to
modify Vaidya's system to use signature files comprising at least one field. One
would be motivated to do so in order to enable the system to identify different
signatures and take a different set of actions for the different signatures to improve
the performance of the intrusion detection system. (Col 4, Lines 45-49)

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Firas Alomari whose telephone number is 
(571) 272-7963. The examiner can normally be reached on M-F from 7:30 am - 
4:00 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, AYAZ SHEIKH can be reached on (571) 272-3795. The 
fax phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 
Information regarding the status of an application may be obtained from
the Patent Application Information Retrieval (PAIR) system. Status information
for published applications may be obtained from either Private PAIR or Public
PAIR. Status information for unpublished applications is available through
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197
(toll-free).